Leveraging the BlueVoyant Platform and Deep Expertise to Monitor and Investigate Threats That Matter
DaaS (Detection-as-a-Service) from BlueVoyant collects logs from applications and on-premise and/or cloud infrastructure to enable advanced threat detection. It provides the power of a SIEM without the complexity.
A better, more cost-effective solution for IT teams that lack the expertise or budget to leverage a full SIEM solution, DaaS provides correlation and analysis of disparate log data with live monitoring by 24x7 global cybersecurity operations centers. This service covers endpoints, network perimeter security, and users.
BlueVoyant democratizes next-generation cybersecurity by delivering services that offer the same level of protection enjoyed by large enterprises available to smallto-mid-sized businesses at a fraction of the cost. Detection-as-a-Service from BlueVoyant provides a better, more cost-effective solution for IT teams who want SIEM-like capabilities without the expertise and expense required to do it themselves.
BlueVoyant security analysts monitor network and security devices, track users, scan applications, and provide you with real-time, security event analysis across your monitored security infrastructure 24/7. This service is supported by the BlueVoyant technology platform, a cloud-based ingestion, processing, and analysis system. This web-based platform generates reports based on the alerts that are analyzed by experts in BlueVoyant’s geographically diverse security operations centers (SOCs).
Detection-as-a-Service includes a proven implementation methodology which includes configuration necessary for provisioning of software agents; vendor software updates; collection, reporting, and notification of security events and device health events across your enterprise. Tools for selfservice reporting and analysis are provided through Wavelength™, BlueVoyant’s client portal.
- Log Collection: Software agents are deployed on devices to enable collection of logs for security event monitoring. Using BlueVoyant virtual appliances, logs are aggregated and stored within Wavelength™, the BlueVoyant client portal.
- Security Event Monitoring: Data is filtered, normalized, correlated, and analyzed to help identify anomalous, suspicious, or malicious behaviors indicative of threats in the monitored environment.
- Reputational Detection: Utilizing proprietary and open source threat intelligence, BlueVoyant identifies threats based upon reputation by correlating inbound and outbound network traffic to monitor for suspicious and malicious domains and IP addresses.
- Investigation and Notification: Once a suspicious event is detected or an automatic prevention activity occurs, an alert is generated and a security operations center analyst will investigate to determine whether or not there is a true positive, benign, or false positive and the client will be notified.
- Health Monitoring: BlueVoyant monitors installed endpoint agent communications using the technology platform. We monitor log sources and generate an alert when a log source’s output has not been received in a specified interval.
- Log Retention and Archiving: All log data collected is stored for a period of 30 days for security event analysis and retained in archive storage for a period of one year, or as uniquely specified.
- Indicator Enrichment: Indicators of compromise associated with detections within the monitored environment are automatically extracted, scored, and enriched leveraging open source and proprietary Threat Intelligence. Enriched indicators, assigned a reputation and classification, are visible within Wavelength™.
SIEM-Like Protection with Real Transparency
Clients can observe, in real time, how BlueVoyant's security analysts are keeping their enterprise safe, 24/7. With DaaS, clients can see more through a single-pane-of glass, enabling greater insights. They can break down incomplete and siloed data into an integrated view to prioritize improvements.
Security Event Monitoring
Detect potential threat actors based upon reputation established by correlating inbound and outbound network traffic and monitoring of suspicious and malicious domains and IP addresses.
Investigation and Notification
Automatic alerts are generated for the SOC where security analysts investigate triggering events to confirm threat actor behavior. Notifications are tailored to the client’s preference and recorded in Wavelength™
Leverage Splunk Enterprise Platform
As a component of the BlueVoyant Platform, Splunk Enterprise is used to enable log collection, detect threat actors, and facilitate analysis.
Benefit from Industry Experts
BlueVoyant team of analysts support global Security Operation Centers (SOCs) that initiate investigations into security alerts. The orchestration and automation of security events allow their experts to zero in on the critical alerts that put your organization at risk. BlueVoyant leverage proprietary, open-source, and Dark Web intelligence to expedite, triage, and enrich investigations conducted by the SOC.
Prevent And Remediate
As part of BlueVoyant's commitment to democratizing cybersecurity, BlueVoyant’s services are designed to be layered; however, each service offering provides significant value as a stand-alone solution. MDR+ adds remote breach prevention and remediation services for endpoints.
- Detect security events with best-of-breed Next Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) solutions.
- Block and contain security events automatically.
- Remediate endpoint incidents and apply proactive Threat Hunting - led by BlueVoyant's investigators and cyber.
- Receive cyber event remediation and a report on how to improve your security posture.
When to Choose
Organizations come to BlueVoyant because they lack the technology and expertise to keep their networks safe. Their current technology is no longer as effective as it once was and has grown too complex to manage due to internal resource constraints.
Rather than purchase yet another point solution that’s not tailored for their organization's needs, they turn to Detection-as-a-Service to achieve these same levels of protection that large enterprises enjoy at a fraction of the cost.
Detection-as-a-Service is supported by expert analysts who operate 24 hours a day, 7 days a week, across multiple locations within Security Operations Centers (SOC). Certifications held by the team include SANS GIAC, EC-Council, and ISC-2, as well as others.
BlueVoyant experts leverage Wavelength™, BlueVoyant’s client portal, to provide real-time visibility into detected alerts and to confirm incidents. This webbased portal enables approved client employees to interact with BlueVoyant’s security operations center analysts, view all detected assets, and if applicable, view vulnerabilities.
Dashboards (representing a variety of content such as event volume, alert volume, detected assets, and analyst response actions) provide a snapshot of realtime company security posture. Reports are available through Wavelength™ and include client environment content related to alerts, incidents, indicators, assets, and vulnerabilities.
Updates on the threat landscape, sectorial, and intelligence summary reports are developed by the BlueVoyant Threat Fusion Cell - an elite team of cyber intelligence analysts and threat researchers focused on identifying and prioritizing information about threats using BlueVoyant proprietary and open source intelligence.
Orchestration and automation is a key component of our technology platform; it allows the BlueVoyant SOC to accelerate triage, reduce false positives, and improve mean-time-to-resolve (MTTR).
BlueVoyant’s SOCs and engineering teams have developed automations to support Detection-as-aService and continue to deliver new automations to improve the system daily. For example, an automated Emotet investigation helps with threat confirmation and faster response, which allows quicker triage to specific outbreak strains.
We have custom FFIEC and NCUA-ACET automations to assist financial institutions of every size. The growing number of security compliance management challenges adversely impact compliance. The mandatory risk assessments and compliance reports can be burdensome, but BlueVoyant has automated many of the FFIEC and NCUA-ACET compliance controls to reduce the timeintensive reporting process that is crucial.
Through a single-pane-of-glass view of your endpoint and network environment, you can address the need for access control, configuration control, and protective control compliance in order to reduce the risk of data breaches and malware attacks. You can help safeguard customer information and reduce fraud and identity theft.
During Introduction, key BlueVoyant and enterprise staff will engage you to learn your priorities, expectations, and deadlines. It is at this juncture that project timelines are established for both parties.
To begin, we will collect information specific to your business. This information will help us to provide organization-specific threat intelligence.
BlueVoyant will collect information about you to better understand your potential threats. This will include public and private information; such as your organization’s industry, segment, key employees, key systems, and what types of digital assets you own, including domains and IP address segments.
Client Experience Team | Primary Support
At Introduction you will be assigned an advisor who will act as your personal consultant and will help you as you interact with and navigate BlueVoyant services. Your advisor will meet with you regularly to understand the evolving goals of your security program and will track key results. Your advisor will engage you should you have any significant security events occur.
Implementation Project Manager
At the beginning of your DaaSSM deployment, a BlueVoyant Implementation Project Manager will be assigned to you to assist you through the on-boarding process. He or she will help you establish timeline/benchmark goals and select the sources and devices that will be on-boarded. His/her advice will help with matching and prioritizing work needed with your specific goals.
Technical Account Manager
A BlueVoyant Technical Account Manager will be assigned to you to serve as your main point of contact beyond direct calls to the SOC. The technical account manager will assist with specific technology inquiries.
The Provisioning Phase focuses on the deployment of software to enable log collection and the configuration of devices and applications to deliver logs to the BlueVoyant technology platform for storage and analysis.
This phase includes the installation of BlueVoyant virtual appliances and establishes connectivity to BlueVoyant. Deployment of software agents to the identified endpoints and servers enable log collection and configuration of devices and applications to facilitate collection of logs.
We collect all network traffic entering or leaving the environment, which is typically provided by means of access to firewalls (or equivalent) and all activities occurring on your endpoints including behavioral detections. This visibility can be provided either through Bluevoyant’s managed detection and response services (available as a separate service), or by means of allowing us access to your deployed, next-generation antivirus agents or endpoint detection and response agents.
The BlueVoyant virtual appliance is a software package that enables log collection from external sources and delivers it to the BlueVoyant Technology Platform. It enables log collection and monitoring for devices and systems in which deployment of a log collection agent is not possible, such as a router or firewall.
We also use collection agents - software that is installed directly on client endpoints and servers to enable log collection and delivery to the BlueVoyant technology platform. This information is automatically aggregated and then BlueVoyant analysts provide a set of correlations and detections for commonly supported sources and platforms.
Nonstandard log sources may require our consultants or engineers to work with you to understand your unique set up, important event criteria and any custom reporting or real-time alerting requirements. If you require nonstandard log sources, Managed SIEM may be a better option for you. Our consultants and engineers can work with you to define important event criteria and any custom reporting or real-time alerts you need.
This most often includes configuration of network devices, such as firewalls, to direct Syslog content to a BlueVoyant virtual appliance for log collection.
Once all collection software has been deployed and sources have been appropriately configured to enable detection, an audit is performed to ensure system readiness.
BlueVoyant Engineering implements and delivers new correlations on a regular basis; requests for new correlations are prioritized by our product management process. If you have urgent correlations that you would like BlueVoyant to prioritize, we would be happy to provide pricing for this additional service.
During Tuning, BlueVoyant will use the first 14-30 days post installation to identify a baseline of the environment and familiarize ourselves with your technology set and its alerts. Tuning is a process of factoring out some of the expected noise of the client’s environment and optimizing our service to provide better visibility and anomaly detection.
Once the collection and agent software has been deployed onto your environment, identification and contextualization of assets can occur. This includes identifying “Key Terrain” devices and applications as well as tagging assets and assigning asset criticality.
Please note, Detection-as-a-Service is limited to monitoring the devices and sources subscribed for service as defined in detail in your Service Order. It does not include management or monitoring of any unsubscribed endpoint or intermediary log sources.
Robust, Relevant, and Right-Sized Cybersecurity Options for Businesses of All Sizes
As part of BlueVoyant's commitment to democratizing cybersecurity, BlueVoyant’s services are designed to be mutually reinforcing but do provide significant value as stand alone solutions. Many clients choose additional services that are designed to work together to enhance and strengthen their security posture; this decision is generally based upon the size and expertise level of their IT staff. The addition of BlueVoyant's Managed Detection and Response (MDR+) service adds protection to your DaaS - no longer just detecting, but protecting your enterprise.
Download the BlueVoyant Detection-as-a-Service (DaaS) Brochure (.PDF)